CVE-2020-3222: Cisco IOS XE Software Web UI Unauthenticated Proxy Service Vulnerability
First published: Wed Jun 03 2020(Updated: )
A vulnerability in the web-based user interface (web UI) of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to bypass access control restrictions on an affected device. The vulnerability is due to the presence of a proxy service at a specific endpoint of the web UI. An attacker could exploit this vulnerability by connecting to the proxy service. An exploit could allow the attacker to bypass access restrictions on the network by proxying their access request through the management network of the affected device. As the proxy is reached over the management virtual routing and forwarding (VRF), this could reduce the effectiveness of the bypass.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco IOS XE Web UI | =16.10.1 | |
| Cisco IOS XE Web UI | =16.10.1a | |
| Cisco IOS XE Web UI | =16.10.1b | |
| Cisco IOS XE Web UI | =16.10.1c | |
| Cisco IOS XE Web UI | =16.10.1d | |
| Cisco IOS XE Web UI | =16.10.1e | |
| Cisco IOS XE Web UI | =16.10.1f | |
| Cisco IOS XE Web UI | =16.10.1g | |
| Cisco IOS XE Web UI | =16.10.1s | |
| Cisco IOS XE Web UI | =16.10.2 | |
| Cisco IOS XE Web UI | =16.11.1 | |
| Cisco IOS XE Web UI | =16.11.1a | |
| Cisco IOS XE Web UI | =16.11.1b | |
| Cisco IOS XE Web UI | =16.11.1c | |
| Cisco IOS XE Web UI | =16.11.1s | |
| Cisco IOS XE Web UI | =16.12.1 | |
| Cisco IOS XE Web UI | =16.12.1a | |
| Cisco IOS XE Web UI | =16.12.1c | |
| Cisco IOS XE Web UI | =16.12.1s | |
| Cisco IOS XE Web UI | =16.12.1t | |
| Cisco IOS XE Web UI | =16.12.1w | |
| Cisco IOS XE Web UI | =16.12.1y |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-3222?
CVE-2020-3222 has a severity rating of high due to its potential for unauthorized access.
How do I fix CVE-2020-3222?
To fix CVE-2020-3222, make sure to update your Cisco IOS XE software to a version that includes the necessary security patches.
What is the impact of CVE-2020-3222?
CVE-2020-3222 allows an unauthenticated attacker to bypass access control restrictions, which could lead to unauthorized actions on the device.
Which versions of Cisco IOS XE are affected by CVE-2020-3222?
CVE-2020-3222 affects multiple versions of Cisco IOS XE, including 16.10.1, 16.11.1, and 16.12.1, among others.
Is there a workaround for CVE-2020-3222?
Currently, there are no official workarounds for CVE-2020-3222, thus upgrading to a secure version is recommended.
- agent/type
- agent/softwarecombine
- agent/weakness
- agent/references
- agent/remedy
- agent/author
- agent/title
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco ios xe web ui
- version/cisco ios xe web ui/16.10.1
- version/cisco ios xe web ui/16.10.1a
- version/cisco ios xe web ui/16.10.1b
- version/cisco ios xe web ui/16.10.1c
- version/cisco ios xe web ui/16.10.1d
- version/cisco ios xe web ui/16.10.1e
- version/cisco ios xe web ui/16.10.1f
- version/cisco ios xe web ui/16.10.1g
- version/cisco ios xe web ui/16.10.1s
- version/cisco ios xe web ui/16.10.2
- version/cisco ios xe web ui/16.11.1
- version/cisco ios xe web ui/16.11.1a
- version/cisco ios xe web ui/16.11.1b
- version/cisco ios xe web ui/16.11.1c
- version/cisco ios xe web ui/16.11.1s
- version/cisco ios xe web ui/16.12.1
- version/cisco ios xe web ui/16.12.1a
- version/cisco ios xe web ui/16.12.1c
- version/cisco ios xe web ui/16.12.1s
- version/cisco ios xe web ui/16.12.1t
- version/cisco ios xe web ui/16.12.1w
- version/cisco ios xe web ui/16.12.1y